This package ships a vulnerable version and needs to be patched. Debian has a patch.
AddressSanitizer: heap-buffer-overflow WRITE of size 1
https://security-tracker.debian.org/tracker/CVE-2015-5522
small file can lead to a 4 Gb allocation; potential DoS
https://security-tracker.debian.org/tracker/CVE-2015-5523
Reproducible: Always
Created attachment 412860
patch issued by tidy-html5 fork
Addresses both CVEs
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=792571
CVE-2015-5523 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5523): The ParseValue function in lexer.c in tidy before 4.9.31 allows remote attackers to cause a denial of service (crash) via vectors involving multiple whitespace characters before an empty href, which triggers a large memory allocation.
CVE-2015-5522 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5522): Heap-based buffer overflow in the ParseValue function in lexer.c in tidy before 4.9.31 allows remote attackers to cause a denial of service (crash) via vectors involving a command character in an href.
Sylvia - Do you want to pick up the package as a proxy maintainer? Please take a look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers and see if you are interested.
This package has no maintainers, and no one is picking it up. Do we want to tree clean?
It has plenty of reverse dependencies that need to be handled first :|
Pacho, any updates on this?
The package is in maintainer-needed, feel free to apply the patch if possible :/ I don't have the time for handling all the packages in maintainer-needed; I try to help on them when possible and, as they are orphaned, any dev can go ahead and fix them if wanted :| For this case, I think the only solution is to try to apply the patch; it cannot be treecleaned with so many reverse deps.
I believe dev-ruby/tidy-ext bundles the tidy code, so I assume it is also affected by these issues.
Any relation to app-text/tidy-html5 ?
(In reply to Aaron Bauman from comment #9)
> Any relation to app-text/tidy-html5 ?
Please see dev mailing list, some discussion about this there.
I have added dev-ruby/tidy-ext-0.1.14-r3 with this patch applied. While I was at it I also added app-text/htmltidy-20090325-r2 with the patch applied.
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Please test and mark stable:
app-text/htmltidy-20090325-r2
dev-ruby/tidy-ext-0.1.14-r3
ia64, sparc: you need to finish bug 565114 first, or drop stable keywords from dev-ruby/tidy-ext.
Both stable on alpha.
Stable for HPPA.
Stable for PPC64.
arm stable
Created attachment 438954
tidy-ext-0.1.14-r3:20160627-074010.log
build log
(In reply to Agostino Sarubbo from comment #18)
> Created attachment 438954
> tidy-ext-0.1.14-r3:20160627-074010.log
>
> build log
There was a script failure, please do not consider this attachment.
amd64 stable
ppc stable
x86 stable
sparc stable
ia64 stable. Maintainer(s), please cleanup. Security, please vote.
Vulnerable versions have been removed.
Note that the security bug was already closed before that.
(In reply to Hans de Graaff from comment #25)
> Vulnerable versions have been removed
>
> Note that the security bug was already closed before that.
Sorry about that.
*** Bug 671452 has been marked as a duplicate of this bug. ***